Abstract:

Safe separation between aircraft is the primary consideration in
air traffic control. To achieve the required level of assurance for this
safety-critical application, the Automated Airspace
Concept (AAC) proposes three levels of conflict detection and resolution.
Recently, a high-level operational concept
was proposed to define the cooperation between components in the AAC. However, the proposed coordination
protocol has not been formally studied. We use formal verification
techniques to ensure there are no potentially catastrophic design flaws
remaining in the AAC design before the next stage of production.
We formalize the high-level operational concept, which was previously described only in natural language, in both NuSMV and CadenceSMV, and perform model validation by checking against temporal logic specifications in LTL and CTL that we derive from the system description.
We write LTL specifications describing safe system operations and use model checking for system verification.
We employ specification debugging to ensure correctness of
both sets of formal specifications and model abstraction to reduce model checking time and enable fast, design-time checking.
We analyze two counterexamples revealing unexpected emergent behaviors in the operational concept that triggered design changes by system engineers to meet safety standards.
Our experience report illuminates the application of formal methods in real safety-critical system development by detailing a complete end-to-end design-time verification process including all models and specifications.
Our contributions include:
a derivation of the operational procedure of the AAC in formal semantics
that can be used for both model checking and as a prototype for implementation;
an adaptation of the state-of-the-art in specification debugging and model abstraction techniques
for efficient design-time feedback, verification, and validation for both the system and specifications;
and an analysis revealing unexpected emergent behaviors in the system not found by other verification efforts, delivering
counterexamples which pinpoint their locations. We include examples of the models both before and after system designers changed the design in response to our counterexamples to ensure compliance with safety requirements.

Our models and specifications can be checked using the symbolic model checker NuSMV, which is free and open source and can be downloaded here. The User Manual can be found here.

Equivalent models and specifications with the syntax slightly modified to enable checking using the symbolic model checker CadenceSMV are also provided. We used the precompiled binary available here. The User Manual can be found here and a tutorial can be found here (or here).

Disclaimer: The files distributed on this page contain research prototype NuSMV code published in the paper above. The files are compatible with NuSMV version 2.5.x and the CadenceSMV compiled binary smv.10-11-02p46.unknown_Linux_2.4.2-2; we make no claims regarding compatibility with any other versions. Please feel free to email me concerning clarifications, bugs, or other corrections.

AAC Complete Logic Model

The NuSMV and CadenceSMV logic models of the high-level AAC architecture, including all specifications for both System Design Validation and System Requirements Verification can be found here:

This full-detail model contains 97 Boolean variables.
Verifying all of its specifications takes more than 10 hours with NuSMV and over 1 hour with CadenceSMV on an
Intel Xeon 2.53GHz workstation running 64-bit CentOS Linux (kernel version 2.6.18) with 36GB RAM.

Although our available computing resources could not check them, we also created models with 4 planes. They can be found here:

The set of possible executions in the abstract model is a strict super-set of the possible executions in the complete model, above. Because the abstraction only adds behaviors, any LTL specification that holds on the abstract model also holds on the complete model; a counterexample found on the abstract model, however, may not be realizable in the complete model and must be confirmed there before it is reported as a design flaw.

The abstract model with 3 planes takes only a little more than a minute to verify all properties with NuSMV and a few seconds with CadenceSMV. The abstract model with 4 planes takes only slightly longer to check than the 3-plane abstract model. Note that for the 4-plane models, only the abstract models (and not the complete models) could be checked with our available computing resources.

AAC Verification Commands

set dynamic_reorder -- enables dynamic reordering of BDD variables in the CUDD package
read_model -i MODEL.smv -- read the logic model into NuSMV; replace MODEL.smv with the file name of the model you want to verify.
go -- initialize the system for the verification
print_bdd_stats -- print out the BDD statistics and parameters
check_ltlspec -P "property-name" -- perform LTL model checking, replace property-name with the LTL property name (written as "LTLSPEC NAME property-name :=" in our model) you want to verify.
check_ctlspec -P "property-name" -- perform CTL model checking, replace property-name with the CTL property name (written as "CTLSPEC NAME property-name :=" in our model) you want to verify.
time -- provides a simple CPU elapsed time value
print_bdd_stats -- print out the BDD statistics and parameters
quit -- end of verification run
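As an added, runnable illustration of the command sequence above (this script is not one of the paper's distributed files): it writes a small constructed two-variable SMV model that uses the `LTLSPEC NAME name :=` and `CTLSPEC NAME name :=` forms the commands refer to, writes the interactive commands to a file, and runs NuSMV unattended with `-int -source` if a NuSMV binary is on the PATH. The model, property names, and file paths are illustrative assumptions and have nothing to do with the AAC model itself.

```shell
#!/bin/sh
# Added example: batch-run the NuSMV command sequence from the page against a
# constructed toy model. Not the AAC model; all names here are illustrative.
set -eu

# Write a tiny constructed model (assumption: two Boolean state variables) with
# one named LTL and one named CTL property, in the NAME form used by
# "check_ltlspec -P" and "check_ctlspec -P".
write_model() {
  cat > "$1" <<'EOF'
MODULE main
VAR
  conflict : boolean;   -- a conflict has been detected
  resolved : boolean;   -- a resolution has been issued
ASSIGN
  init(conflict) := FALSE;
  init(resolved) := FALSE;
  next(conflict) := case
    conflict & resolved : FALSE;   -- resolved conflicts clear
    TRUE                : {TRUE, FALSE};
  esac;
  next(resolved) := case
    conflict : TRUE;               -- every detected conflict gets a resolution
    TRUE     : FALSE;
  esac;
LTLSPEC NAME conflict_eventually_resolved := G (conflict -> F resolved);
CTLSPEC NAME resolution_reachable := AG (conflict -> EF resolved);
EOF
}

# Write the page's interactive command sequence to $1, pointing read_model at
# the model file $2, so NuSMV can execute it without a human at the prompt.
write_commands() {
  model="$2"
  cat > "$1" <<EOF
set dynamic_reorder
read_model -i $model
go
print_bdd_stats
check_ltlspec -P "conflict_eventually_resolved"
check_ctlspec -P "resolution_reachable"
time
print_bdd_stats
quit
EOF
}

# Execute the command file with NuSMV if it is installed; otherwise print the
# command that would have been run and succeed, so the script is safe offline.
run_batch() {
  if command -v NuSMV >/dev/null 2>&1; then
    NuSMV -int -source "$1"
  else
    echo "NuSMV not found on PATH; would run: NuSMV -int -source $1" >&2
  fi
}

# Stand-alone usage: generate both files in a scratch directory and run.
workdir=$(mktemp -d)
write_model "$workdir/demo.smv"
write_commands "$workdir/cmds.txt" "$workdir/demo.smv"
run_batch "$workdir/cmds.txt"
```

The same command file can be reused for the distributed AAC models by changing only the path passed to `read_model -i` and the property names passed to `-P`; the `print_bdd_stats` calls before and after checking show how far dynamic reordering changed the BDD sizes during the run.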